CanYouCrackIt.co.uk Solutions
a guest
Dec 3rd, 2011
CanYouCrackIt.co.uk Walk-Through & Solution
12-11

[+] Contents
----------------
1. Background
2. Requirements
3. Stage One
4. Stage Two
5. Stage Three
6. The End...?
----------------


[+] Background
---------------
Earlier this week a mysterious website appeared at the URL canyoucrackit.co.uk.
I saw the URL being passed around Twitter and eventually my curiosity got the best of me.
At first, not much was known about the purpose or origin of the website or of the code challenge
it displayed. The goal is obviously to break the code that appears in the image and enter the password afterwards.
Well, it turns out that the website is hosted by GCHQ, the United Kingdom's spy agency. The website is their advertisement for a job application, more or less. After you complete the challenge, enter the code and click 'Okay', you are redirected to a website where you can apply for a job at MI5 as a 'Cyber Security Specialist.' Unfortunately, the job only offers 25k yearly to start, and you need to be a UK citizen. Starting to look like a lot of work for not much reward, right? Again, my curiosity won and I tried my luck at cracking the code... not for the job but just for the satisfaction of actually completing it.
I did cheat a little bit for the second stage of the challenge. You'll see why...

[+] Requirements
-----------------
* NASM
* Cygwin w/ needed DLLs
* GDB
* Hex Editor
* Coding Knowledge (C/C++ or Python)
* Objdump
* Patience, Cigarettes & Coffee



[+] Stage One
-------------------
Visit canyoucrackit.co.uk and save the image file that contains the code (cyber.png).
You can either manually copy the code in the image or feed the image into an OCR.
After you have the code saved to a text file, open up cyber.png in your hex editor. I used GHex.
Near the beginning of cyber.png you should notice the string 'iTXtComment' (the PNG text chunk type 'iTXt' immediately followed by its keyword 'Comment'), followed by a string of numbers and letters ending in '=='. That is a base64-encoded value.
Save the base64 string, decode it and add it to the beginning of your code from the image.

Base64 Code:
QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==

Image Code:
eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41 75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41

Save the file that combines these two codes as a binary file.
Run it through objdump with: objdump -d -D -b binary -mi386 crackme.bin
Open it with your debugger (gdb) and set a breakpoint at the INT 0x80 call. When it hits your breakpoint, use the gdb command 'bt' (which dumps the current stack). A decrypted string will be visible in the stack dump:
GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1

Throw that in your browser behind canyoucrackit.co.uk and you're on your way to Stage Two!
You feel elite already, right? Yeah, I thought so..

*Stage One Solution: http://canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js


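The Stage One preparation (pull the base64 comment out of the PNG's text chunk, decode it, join it with the bytes from the image, write the result out for objdump and gdb) as an added Python example; this is not code from the original post. cyber.png itself is not on this page, so the script builds a constructed stand-in PNG that carries the same iTXt Comment chunk and parses that with a small chunk walker that also verifies each chunk's CRC; the base64 string and image bytes are the ones listed above. The decoded comment turns out to be a framed record: the marker 'BBBB', a little-endian length (0x32 = 50) and 50 bytes of payload, and the script checks that framing. The image bytes end in 41 41 41 41 ('AAAA') and the code right before compares against 0x41414141 and then 0x42424242, i.e. it expects the 'BBBB' record to sit directly behind the image bytes, so this example appends the decoded block rather than prepending it.

```python
#!/usr/bin/env python3
"""Added example: extract the base64 PNG comment, check its framing and assemble crackme.bin."""
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Values from the walkthrough above: the iTXt Comment text and the bytes transcribed from the image.
COMMENT_B64 = "QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw=="
IMAGE_HEX = """
eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41 75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41
"""


def png_chunk(ctype, data):
    """Encode one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_sample_png(comment):
    """Constructed stand-in for cyber.png (no pixel data): IHDR, an iTXt 'Comment' chunk, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    # iTXt layout: keyword NUL, compression flag, compression method, language NUL, translated keyword NUL, text
    itxt = b"Comment\x00" + bytes([0, 0]) + b"\x00" + b"\x00" + comment.encode("utf-8")
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"iTXt", itxt) + png_chunk(b"IEND", b"")


def png_text_chunks(png):
    """Walk the chunk list, verify every CRC, and return {keyword: text} for tEXt and iTXt chunks."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    texts, pos = {}, 8
    while pos + 12 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        if ctype == b"tEXt":
            key, _, text = data.partition(b"\x00")
            texts[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = data.partition(b"\x00")
            compressed = rest[0] == 1
            rest = rest[2:]  # skip compression flag and compression method
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            texts[key.decode("latin-1")] = (zlib.decompress(text) if compressed else text).decode("utf-8")
        if ctype == b"IEND":
            break
        pos += 12 + length
    return texts


def decode_comment(b64):
    """Decode the comment and check its framing: 'BBBB', little-endian payload length, payload."""
    raw = base64.b64decode(b64, validate=True)
    marker, length = raw[:4], struct.unpack("<I", raw[4:8])[0]
    if marker != b"BBBB" or len(raw) != 8 + length:
        raise ValueError("unexpected comment block layout")
    return raw


def build_crackme(image_hex, comment_b64):
    """Image bytes followed by the decoded comment block: the file handed to objdump and gdb."""
    return bytes.fromhex(image_hex) + decode_comment(comment_b64)


if __name__ == "__main__":
    png = build_sample_png(COMMENT_B64)           # with the real file: open("cyber.png", "rb").read()
    comment = png_text_chunks(png)["Comment"]
    blob = build_crackme(IMAGE_HEX, comment)
    with open("crackme.bin", "wb") as f:
        f.write(blob)
    print("wrote crackme.bin: %d bytes (%d from the image, %d from the comment)" % (len(blob), 160, len(blob) - 160))
```

With a real cyber.png you would replace the constructed PNG with the file's bytes; the chunk walker is the same, and a CRC mismatch there is a quick sign that the file was re-encoded or damaged on the way.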
[+] Stage Two
------------------
Download the .js file from the URL you visited as the Stage One solution. The .js file describes a small VM (its instruction set, registers and memory image) that you need to emulate, and then dump the memory while emulating to find the next clue. When you run the VM emulation code you write, once the VM reaches the HLT instruction the memory will contain a large chunk of data. This data contains two decryption codes and the solution text, which is decrypted by the 2nd decryption code in the data chunk.
To be honest, this is where I cheated a little bit. Writing Python or C code to emulate a VM didn't exactly sound like a good use of time to me. It's not especially hard but the code is just long and involved. So I googled around a bit and found a Pastebin.com link to a Python script someone had already written for this exact challenge. There wasn't an author's name attached to the file but whoever you are, I thank you kindly.
The code is listed directly below. It will run the VM and the needed decryption and finally dump the memory that includes the decrypted string. Copy this code, save it as stage2.py and run it.

--------------------------------Stage Two Solution Code---------------------------------------
#!/usr/bin/env python3
# Emulator for the Stage Two VM. This is the Pastebin script referred to above,
# re-indented and ported from Python 2 to Python 3 so that it runs as-is; the
# VM semantics are unchanged. `mem` is the memory image from the stage two .js file
# (0x300 bytes: bootstrap code at 0x000, encrypted code at 0x100, data above that).

mem = [
    # 0x000: bootstrap loop that XOR-decrypts 0x50 bytes at 0x100 and far-jumps there
    0x31, 0x04, 0x33, 0xaa, 0x40, 0x02, 0x80, 0x03, 0x52, 0x00, 0x72, 0x01, 0x73, 0x01, 0xb2, 0x50,
    0x30, 0x14, 0xc0, 0x01, 0x80, 0x00, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
] + [0x00] * 224 + [
    # 0x100
    0x98, 0xab, 0xd9, 0xa1, 0x9f, 0xa7, 0x83, 0x83, 0xf2, 0xb1, 0x34, 0xb6, 0xe4, 0xb7, 0xca, 0xb8,
    0xc9, 0xb8, 0x0e, 0xbd, 0x7d, 0x0f, 0xc0, 0xf1, 0xd9, 0x03, 0xc5, 0x3a, 0xc6, 0xc7, 0xc8, 0xc9,
    0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9,
    0xda, 0xdb, 0xa9, 0xcd, 0xdf, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
    0x26, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9,
    # 0x150
    0x7d, 0x1f, 0x15, 0x60, 0x4d, 0x4d, 0x52, 0x7d, 0x0e, 0x27, 0x6d, 0x10, 0x6d, 0x5a, 0x06, 0x56,
    0x47, 0x14, 0x42, 0x0e, 0xb6, 0xb2, 0xb2, 0xe6, 0xeb, 0xb4, 0x83, 0x8e, 0xd7, 0xe5, 0xd4, 0xd9,
    0xc3, 0xf0, 0x80, 0x95, 0xf1, 0x82, 0x82, 0x9a, 0xbd, 0x95, 0xa4, 0x8d, 0x9a, 0x2b, 0x30, 0x69,
    0x4a, 0x69, 0x65, 0x55, 0x1c, 0x7b, 0x69, 0x1c, 0x6e, 0x04, 0x74, 0x35, 0x21, 0x26, 0x2f, 0x60,
    0x03, 0x4e, 0x37, 0x1e, 0x33, 0x54, 0x39, 0xe6, 0xba, 0xb4, 0xa2, 0xad, 0xa4, 0xc5, 0x95, 0xc8,
    0xc1, 0xe4, 0x8a, 0xec, 0xe7, 0x92, 0x8b, 0xe8, 0x81, 0xf0, 0xad, 0x98, 0xa4, 0xd0, 0xc0, 0x8d,
    0xac, 0x22, 0x52, 0x65, 0x7e, 0x27, 0x2b, 0x5a, 0x12, 0x61, 0x0a, 0x01, 0x7a, 0x6b, 0x1d, 0x67,
    # 0x1c0
    0x75, 0x70, 0x6c, 0x1b, 0x11, 0x25, 0x25, 0x70, 0x7f, 0x7e, 0x67, 0x63, 0x30, 0x3c, 0x6d, 0x6a,
    0x01, 0x51, 0x59, 0x5f, 0x56, 0x13, 0x10, 0x43, 0x19, 0x18, 0xe5, 0xe0, 0xbe, 0xbf, 0xbd, 0xe9,
    0xf0, 0xf1, 0xf9, 0xfa, 0xab, 0x8f, 0xc1, 0xdf, 0xcf, 0x8d, 0xf8, 0xe7, 0xe2, 0xe9, 0x93, 0x8e,
    0xec, 0xf5, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    # 0x200
    0x37, 0x7a, 0x07, 0x11, 0x1f, 0x1d, 0x68, 0x25, 0x32, 0x77, 0x1e, 0x62, 0x23, 0x5b, 0x47, 0x55,
    0x53, 0x30, 0x11, 0x42, 0xf6, 0xf1, 0xb1, 0xe6, 0xc3, 0xcc, 0xf8, 0xc5, 0xe4, 0xcc, 0xc0, 0xd3,
    0x85, 0xfd, 0x9a, 0xe3, 0xe6, 0x81, 0xb5, 0xbb, 0xd7, 0xcd, 0x87, 0xa3, 0xd3, 0x6b, 0x36, 0x6f,
    0x6f, 0x66, 0x55, 0x30, 0x16, 0x45, 0x5e, 0x09, 0x74, 0x5c, 0x3f, 0x29, 0x2b, 0x66, 0x3d, 0x0d,
    0x02, 0x30, 0x28, 0x35, 0x15, 0x09, 0x15, 0xdd, 0xec, 0xb8, 0xe2, 0xfb, 0xd8, 0xcb, 0xd8, 0xd1,
    0x8b, 0xd5, 0x82, 0xd9, 0x9a, 0xf1, 0x92, 0xab, 0xe8, 0xa6, 0xd6, 0xd0, 0x8c, 0xaa, 0xd2, 0x94,
    0xcf, 0x45, 0x46, 0x67, 0x20, 0x7d, 0x44, 0x14, 0x6b, 0x45, 0x6d, 0x54, 0x03, 0x17, 0x60, 0x62,
    0x55, 0x5a, 0x4a, 0x66, 0x61, 0x11, 0x57, 0x68, 0x75, 0x05, 0x62, 0x36, 0x7d, 0x02, 0x10, 0x4b,
    0x08, 0x22, 0x42, 0x32, 0xba, 0xe2, 0xb9, 0xe2, 0xd6, 0xb9, 0xff, 0xc3, 0xe9, 0x8a, 0x8f, 0xc1,
    0x8f, 0xe1, 0xb8, 0xa4, 0x96, 0xf1, 0x8f, 0x81, 0xb1, 0x8d, 0x89, 0xcc, 0xd4, 0x78, 0x76, 0x61,
    0x72, 0x3e, 0x37, 0x23, 0x56, 0x73, 0x71, 0x79, 0x63, 0x7c, 0x08, 0x11, 0x20, 0x69, 0x7a, 0x14,
    0x68, 0x05, 0x21, 0x1e, 0x32, 0x27, 0x59, 0xb7, 0xcf, 0xab, 0xdd, 0xd5, 0xcc, 0x97, 0x93, 0xf2,
    0xe7, 0xc0, 0xeb, 0xff, 0xe9, 0xa3, 0xbf, 0xa1, 0xab, 0x8b, 0xbb, 0x9e, 0x9e, 0x8c, 0xa0, 0xc1,
    # 0x2d0
    0x9b, 0x5a, 0x2f, 0x2f, 0x4e, 0x4e,
] + [0x00] * 42
assert len(mem) == 0x300

vm_instructions = ["jmp", "movr", "movm", "add", "xor", "cmp", "jmpe", "hlt"]

vm_segment_size = 0x10  # segmented addressing: physical address = segment * 16 + offset

# Register file: r0-r3 are general purpose; index 4 is cs, index 5 is ds.
cs = 4
ds = 5


def ModDetect(opcode):
    """Bit 4 of the instruction byte is the mod bit; it selects the operand form."""
    return (opcode & 0x10) != 0


def GetOpcode(opcode):
    """Top three bits of the instruction byte."""
    return opcode >> 5


def GetOperand1(opcode):
    """Low four bits of the instruction byte (a register number)."""
    return opcode & 0x0F


########################################################################

class _VM_CPU:
    def __init__(self):
        self.vm_ip = 0
        self.vm_reg = [0 for i in range(6)]
        self.vm_flag = 0


class VirtualMachine:
    def __init__(self, mem):
        self.vm_cpu = _VM_CPU()
        self.mem = mem
        self.vm_cpu.vm_reg[ds] = 0x10  # initial data segment (physical 0x100)
        self.dump_registers()
        while self.execute(self.vm_cpu.vm_ip):
            pass

    def dump_registers(self):
        c = self.vm_cpu
        print("ip:%3X fl:%2X r0:%3X r1:%3X r2:%3X r3:%3X cs:%3X ds:%3X\n"
              % (c.vm_ip, c.vm_flag, c.vm_reg[0], c.vm_reg[1],
                 c.vm_reg[2], c.vm_reg[3], c.vm_reg[cs], c.vm_reg[ds]))

    def dump_memory(self):
        """Memory as text; bytes outside printable ASCII are shown as '.'."""
        return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in self.mem)

    def trace(self, name, vm_mod, op1, op2):
        """Print the two-operand forms: 'op` r1,imm' (mod 1) or 'op r1,r2' (mod 0)."""
        if vm_mod:
            print("%X %s` r%d,%X" % (self.vm_cpu.vm_ip, name, op1, op2))
        else:
            print("%X %s r%d,r%d" % (self.vm_cpu.vm_ip, name, op1, op2))

    def execute(self, ip):
        """Run one instruction; return False once the VM halts or runs off the end of memory."""
        if ip > (len(self.mem) - 1):
            return False
        c = self.vm_cpu
        reg = c.vm_reg
        opcode = self.mem[ip]
        vm_opcode = GetOpcode(opcode)
        vm_mod = ModDetect(opcode)
        vm_operand1 = GetOperand1(opcode)
        # Every instruction is fetched as two bytes; the one-byte forms (jmp/jmpe with
        # mod 0, hlt) ignore the second byte and move ip back where that matters.
        vm_operand2 = self.mem[ip + 1] if ip + 1 < len(self.mem) else 0
        c.vm_ip += 2
        name = vm_instructions[vm_opcode]

        if vm_opcode == 0:
            if vm_mod:  # jmp seg:r1 (far jump: operand 2 is the new code segment)
                print("%X %s` r%d:%X" % (c.vm_ip, name, vm_operand1, vm_operand2))
                reg[cs] = vm_operand2
                c.vm_ip = reg[cs] * vm_segment_size + reg[vm_operand1]
            else:  # jmp r1 (near jump within cs; one-byte instruction)
                print("%X %s r%d" % (c.vm_ip, name, vm_operand1))
                c.vm_ip = reg[cs] * vm_segment_size + reg[vm_operand1]
        elif vm_opcode == 1:
            self.trace(name, vm_mod, vm_operand1, vm_operand2)
            if vm_mod:  # movr r1, imm
                reg[vm_operand1] = vm_operand2
            else:  # movr r1, r2 (r1 is the destination, as for add/xor/cmp; this program only uses the imm form)
                reg[vm_operand1] = reg[vm_operand2]
        elif vm_opcode == 2:
            if not vm_mod:  # movm r1, [ds:r2]
                print("%X %s r%d,[ds:r%d]" % (c.vm_ip, name, vm_operand1, vm_operand2))
                reg[vm_operand1] = self.mem[reg[ds] * vm_segment_size + reg[vm_operand2]]
            else:  # movm [ds:r1], r2
                print("%X %s` [ds:r%d],r%d" % (c.vm_ip, name, vm_operand1, vm_operand2))
                self.mem[reg[ds] * vm_segment_size + reg[vm_operand1]] = reg[vm_operand2]
        elif vm_opcode == 3:  # add r1, imm / add r1, r2 (registers are 8 bits wide)
            self.trace(name, vm_mod, vm_operand1, vm_operand2)
            rhs = vm_operand2 if vm_mod else reg[vm_operand2]
            reg[vm_operand1] = (reg[vm_operand1] + rhs) & 0xFF
        elif vm_opcode == 4:  # xor r1, imm / xor r1, r2
            self.trace(name, vm_mod, vm_operand1, vm_operand2)
            rhs = vm_operand2 if vm_mod else reg[vm_operand2]
            reg[vm_operand1] ^= rhs
        elif vm_opcode == 5:  # cmp r1, imm / cmp r1, r2: fl = 0 equal, 1 greater, 0xff less
            self.trace(name, vm_mod, vm_operand1, vm_operand2)
            lhs = reg[vm_operand1]
            rhs = vm_operand2 if vm_mod else reg[vm_operand2]
            if lhs == rhs:
                c.vm_flag = 0
            elif lhs > rhs:
                c.vm_flag = 1
            else:
                c.vm_flag = 0xff
        elif vm_opcode == 6:
            if vm_mod:  # jmpe seg:r1 (far jump if the last cmp was equal)
                print("%X %s` r%d:%X" % (c.vm_ip, name, vm_operand1, vm_operand2))
                if c.vm_flag == 0:
                    reg[cs] = vm_operand2
                    c.vm_ip = reg[cs] * vm_segment_size + reg[vm_operand1]
            else:  # jmpe r1 (near jump if equal; one-byte instruction)
                print("%X %s r%d" % (c.vm_ip, name, vm_operand1))
                if c.vm_flag == 0:
                    c.vm_ip = reg[cs] * vm_segment_size + reg[vm_operand1]
                else:
                    c.vm_ip -= 1  # not taken: only one byte was consumed
        elif vm_opcode == 7:  # hlt: dump memory, which now holds the decrypted text
            print("%X %s" % (c.vm_ip, name))
            print(self.dump_memory())
            return False
        self.dump_registers()
        return True


if __name__ == "__main__":
    vm = VirtualMachine(mem)
-----------------------------------------------------------------------------------------------
The important part of the output is listed at the very bottom.
GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.07z

The '7z' after HTTP/1.0 is not part of the string; it is just the next two printable bytes in memory after the zero byte that terminates it.
By now you should know what to do with that...

*Stage Two Solution: http://canyoucrackit.co.uk/da75370fe15c4148bd4ceec861fbdaa5.exe



[+] Stage Three
---------------------
So you just downloaded the .exe file from the Stage Two solution. This level, in my opinion, was the hardest part. This is also where some of those requirements I listed above come in handy. I renamed the .exe file to stagethree.exe just to make it easier. First off, I opened up stagethree.exe in my hex editor. I scrolled down past all the semi-non-important data until I found what I was looking for.


hqDTK7b8K2rv..keygen.exe...usage: keygen.exe hostname..r.license.txt..error: license.txt not found..%s..loading stage1 license key(s).......loading stage2 license key(s)......error: license.txt invalid...error: gethostbyname() failed..error: connect("%s") failed..GET /%s/%x/%x/%x/key.txt HTTP/1.0.....HTTP/1.0.....request:..%s.error: send() failed..response

I was right to rename the .exe file, but the correct name is keygen.exe. Judging by the above strings from the hex dump, you can tell keygen.exe takes a hostname as a parameter and reads license.txt (which should hold a key from stage1 and another key from stage2). At the beginning of the code inspection we also see 'gchq'. I thought that was interesting, so let's keep that around for a while. Scrolling down further in the hex reveals that the .exe file relies on Cygwin DLLs for encryption/decryption. We can also tell from the strings that once the correct license.txt file is supplied, the application makes a request to: hostname/%s/%x/%x/%x/key.txt
Examining the code further, the license.txt format appears to be:

Four Bytes - 8 Bytes - 4 Bytes - 4 Bytes - 4 Bytes

gchq is four bytes and was found at the beginning of the code, so let's give that a shot. This was really just an incredibly lucky guess that turned out to be correct.
This is where the hqDTK7... string comes in handy. The code next uses that string as a salt for an 8 byte password. The solution to that cracked hash is cyberwin (8 bytes), giving us gchqcyberwin.

Now, it's obvious that we need three more keys to finish license.txt and get the application to complete our request. The application itself gives me two very obvious clues by saying 'stage1 license key(s)' and 'stage2 license key(s)'. What did we skip over from the first two stages that might be the keys to this puzzle?
In Stage One, at the very beginning of the supplied code, the instructions jump over exactly 4 bytes: 0xa3bfc2af. Also, in Stage Two, the 'firmware' variable is completely unused in the VM emulation and gives us two more four-byte codes: 0xd2ab1f05 and 0xda13f110.

gchq + cyberwin + 0xa3bfc2af + 0xd2ab1f05 + 0xda13f110
OR
hqDTK7b8K2rv + 0xa3bfc2af + 0xd2ab1f05 + 0xda13f110

will give us the solution for: GET /%s/%x/%x/%x/key.txt
Trying the obvious, let's input those exact keys into each respective slot of the URL and try to visit
canyoucrackit.co.uk/gchqcyberwin/0xa3bfc2af/0xd2ab1f05/0xda13f110/key.txt

Nope, not it. Damnit.

Next I tried it by replacing gchqcyberwin with the hash for that same key.
canyoucrackit.co.uk/hqDTK7b8K2rv/0xa3bfc2af/0xd2ab1f05/0xda13f110/key.txt
Still no luck.

After trying various seemingly random combinations of URLs and changing the order of variables, I eventually landed on the right answer.
For each of the last 3 keys, you need to remove '0x' from the beginning of the string (the %x format specifier prints bare hex digits, with no prefix).
Giving you the final answer of:
/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt

Throw that string behind canyoucrackit.co.uk and we have a winner!

http://canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt
That URL will return the string: Pr0t3ct!on#cyber_security@12*12.2011+

Return to the main CanYouCrackIt URL, enter that string in the password prompt and press enter.
You'll be directed to canyoucrackit.co.uk/soyoudidit.asp

Following that link, you get directed to the GCHQ career application page. Bravo!
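The key derivation and request format described in this stage, as an added Python example; it is not code from the original post and it is not keygen.exe's own code. It reads the stage one key as the four bytes that the shellcode's opening short jump (eb 04) skips over, takes the two 'firmware' words quoted above as the stage two keys, packs a license.txt record in the 4-8-4-4-4 layout given above (little-endian byte order for the three keys is an assumption of this example), and renders the request path exactly as the "/%s/%x/%x/%x/key.txt" format string does, which makes it visible why the URLs with a 0x prefix could not match. The password check itself (the hqDTK7... string used as salt, per the text above) is left out.

```python
#!/usr/bin/env python3
"""Added example: derive the three 32-bit keys and reproduce keygen.exe's request path."""
import struct

# From Stage One: the first bytes of the image code; "eb 04" jumps over the four bytes after it.
STAGE1_CODE = bytes.fromhex("eb 04 af c2 bf a3 81 ec 00 01 00 00")
# From Stage Two: the two 'firmware' words quoted in the walkthrough.
FIRMWARE = (0xd2ab1f05, 0xda13f110)
# From Stage Three: the string found in keygen.exe, the 8-byte password and the 4-byte prefix.
HASH = "hqDTK7b8K2rvw"
PASSWORD = b"cyberwin"
LICENSE_MAGIC = b"gchq"


def stage1_key(code):
    """Return the dword the shellcode jumps over: 'jmp short +4' followed by four bytes, read little-endian."""
    if code[:2] != b"\xeb\x04":
        raise ValueError("expected a 2-byte short jump over the key")
    return struct.unpack("<I", code[2:6])[0]


def build_license(magic, password, keys):
    """license.txt in the layout from the walkthrough: 4 bytes, 8 bytes, three 4-byte keys.
    Little-endian key order is an assumption of this example."""
    if len(magic) != 4 or len(password) != 8 or len(keys) != 3:
        raise ValueError("license record must be 4 + 8 + 3*4 bytes")
    return struct.pack("<4s8s3I", magic, password, *keys)


def parse_license(blob):
    """Inverse of build_license: returns (magic, password, (k1, k2, k3))."""
    magic, password, k1, k2, k3 = struct.unpack("<4s8s3I", blob)
    return magic, password, (k1, k2, k3)


def key_path(hash_str, keys):
    """The request keygen.exe builds from its "GET /%s/%x/%x/%x/key.txt" format string.
    %x prints lowercase hex digits with no 0x prefix, which is why the prefixed URLs failed."""
    return "/%s/%x/%x/%x/key.txt" % (hash_str, *keys)


if __name__ == "__main__":
    keys = (stage1_key(STAGE1_CODE),) + FIRMWARE
    lic = build_license(LICENSE_MAGIC, PASSWORD, keys)
    with open("license.txt", "wb") as f:
        f.write(lic)
    print("license.txt:", lic.hex())
    print("request path:", key_path(HASH, keys))
```

Running it writes a 24-byte license.txt and prints /hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt, the path the walkthrough arrives at; rendering the same keys with "0x%x" instead reproduces the two failed attempts above.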



[ohdae]
